SOC 2 Readiness
SOC 2 is increasingly a condition of enterprise customer engagement. We take technology companies from their current state through to a successful SOC 2 Type I or Type II audit.
What is SOC 2 and why does it matter?
SOC 2 is a security audit framework developed by the American Institute of Certified Public Accountants (AICPA). It assesses whether your systems and controls meet the Trust Services Criteria across Security, Availability, Confidentiality, Processing Integrity, and Privacy.
Enterprise customers increasingly require a SOC 2 report as a condition of vendor approval. It is the standard due-diligence document for B2B SaaS companies selling to enterprise and government buyers.
Who needs a SOC 2 assessment?
B2B SaaS companies seeking enterprise customers who require vendor security attestation. Australian technology companies expanding into US markets where SOC 2 is a standard procurement requirement. Organisations that have received a SOC 2 requirement in a vendor questionnaire or RFP. Companies preparing for Series A or Series B fundraising where investor due diligence includes security posture review.
Type I versus Type II
- Type I assesses whether your controls are designed appropriately at a point in time. Faster to achieve, useful as an initial signal to enterprise prospects.
- Type II assesses whether your controls operated effectively over a review period, typically 6 to 12 months. More meaningful to sophisticated buyers and required by some categories of customer.
Most organisations start with a Type I audit and plan the Type II on a 12-month cycle.
What does SOC 2 readiness include?
- Gap analysis against the AICPA Trust Services Criteria relevant to your scope
- Control design and documentation
- Policies and procedures development
- Evidence collection framework and preparation
- Internal readiness assessment before the audit
- External audit support for Stage 1 and Stage 2
What you receive
- SOC 2 readiness report documenting control gaps against the applicable Trust Services Criteria, with a risk rating for each gap and recommended remediation
- Control design documentation ready for external audit
- Evidence collection framework covering what to collect, how to organise it, and the review period required for a Type II audit
- Internal readiness assessment report confirming your controls are operating as designed before your external audit begins
Timeline
4 to 8 weeks for the readiness and gap analysis phase. The observation period for a Type II audit requires 6 to 12 months of control operation before the audit.
Pricing
Contact us to discuss scope. SOC 2 readiness pricing depends on the number of Trust Services Criteria in scope and the maturity of your existing controls. We respond within one business day.
Based in Australia. Serving Globally.
Listed on BuyICT and selected Australian government procurement panels, including NSW SCM0020.
Our practitioners bring senior CISO experience across SMBs, Government, education, healthcare, not-for-profit, financial services, and technology. Every engagement is led by an experienced practitioner from scoping through to delivery.
Talk to Our Experts
We provide a large range of security services.
Reach out to us for a no obligation confidential conversation.